From: W. Trevor King
Date: Thu, 13 Feb 2014 16:47:20 +0000 (-0800)
Subject: nmbug-status: Escape &, <, and > in HTML display data
X-Git-Tag: 0.18_rc0~146
X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=aaa7f0d92ee9c876c38da43be5c49e8d5c73a99b;p=notmuch.git

nmbug-status: Escape &, <, and > in HTML display data

'message-id' and 'from' now have sensitive characters escaped using xml.sax.saxutils.escape [1]. The 'subject' data was already being converted to a link into Gmane; I've escape()d that too, so it doesn't need to be handled ain the same block as 'message-id' and 'from'.

This prevents broken HTML by if subjects etc. contain characters that would otherwise be interpreted as HTML markup.

[1]: http://docs.python.org/3/library/xml.sax.utils.html#xml.sax.saxutils.escape
---
diff --git a/devel/nmbug/nmbug-status b/devel/nmbug/nmbug-status
index 6a156af2..1c390e6d 100755
--- a/devel/nmbug/nmbug-status
+++ b/devel/nmbug/nmbug-status
@@ -24,6 +24,7 @@ import os
 import re
 import sys
 import subprocess
+import xml.sax.saxutils
 
 _ENCODING = locale.getpreferredencoding() or sys.getdefaultencoding()
 
@@ -226,11 +227,14 @@ class HtmlPage (Page):
         if 'subject' in display_data and 'message-id' in display_data:
             d = {
                 'message-id': quote(display_data['message-id']),
-                'subject': display_data['subject'],
+                'subject': xml.sax.saxutils.escape(display_data['subject']),
             }
             display_data['subject'] = (
                 '{subject}'
             ).format(**d)
+        for key in ['message-id', 'from']:
+            if key in display_data:
+                display_data[key] = xml.sax.saxutils.escape(display_data[key])
         return (running_data, display_data)
 
     def _slug(self, string):
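Review bot: The escaping added in the `for key in ['message-id', 'from']` loop covers only `&`, `<` and `>`, which is all `xml.sax.saxutils.escape` replaces by default, so a value that is later placed inside a quoted attribute could still terminate the attribute with `"` or `'`. If 'from' or 'message-id' is interpolated into an attribute anywhere in the page template (not visible in this hunk), pass the extra entities explicitly: `display_data[key] = xml.sax.saxutils.escape(display_data[key], {'"': '&quot;', "'": '&#39;'})`. Any display_data keys other than 'subject', 'message-id' and 'from' still reach the HTML unescaped after this change, which is safe only if none of them are taken from message headers; a short comment above the loop naming why exactly these two keys are escaped would make that assumption reviewable. The `'{subject}'` line appears to have lost its markup in extraction, and the enclosing method begins before this hunk, so I could not confirm from the page which fields the template quotes.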